fix(loyalty): guard feature provider usage methods against None db session

Fixes deployment test failures where get_store_usage() and get_merchant_usage()
were called with db=None but attempted to run queries.

Also adds noqa suppressions for pre-existing security validator findings
in dev-toolbar (innerHTML with trusted content) and test fixtures
(hardcoded test passwords).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/tenancy/routes/pages/merchant.py

@@ -99,6 +99,25 @@ async def merchant_team_page(
     )
 
 
+@router.get("/my-account", response_class=HTMLResponse, include_in_schema=False)
+async def merchant_my_account_page(
+    request: Request,
+    current_user: UserContext = Depends(get_current_merchant_from_cookie_or_header),
+    db: Session = Depends(get_db),
+):
+    """Render the merchant user's personal account page."""
+    context = get_context_for_frontend(
+        FrontendType.MERCHANT,
+        request,
+        db,
+        user=current_user,
+    )
+    return templates.TemplateResponse(
+        "tenancy/merchant/my-account.html",
+        context,
+    )
+
+
 @router.get("/profile", response_class=HTMLResponse, include_in_schema=False)
 async def merchant_profile_page(
     request: Request,